Tag Archives: PGP encryption

Encryption Becomes a Part of Journalists’ Toolkit

TEXT AND PHOTOS BY J. ZACH HOLLO FOR THE GROUNDTRUTH PROJECT & REPRINTED WITH PERMISSION.

WASHINGTON — When whistleblower Edward Snowden used an email encryption program called PGP to contact documentary filmmaker Laura Poitras, only a tiny fraction of journalists used it. The precaution, designed to scramble messages so only the sender and receiver can read them, was essential for Snowden to leak the information.

The series of stories that followed shocked the world and radically altered the way people think about government surveillance and the Internet. Now, encryption is becoming a standard item of the journalism toolkit, a must-have for anyone hoping to report on sensitive issues that might upset institutions of power. It was also the subject of a workshop recently held at Northwestern’s Medill newsroom in Washington, DC, which walked about 15 journalists through the basic software installations involved in setting up PGP, which is short for “Pretty Good Privacy” and ironically named after a grocery store in Garrison Keillor’s fictional town of Lake Wobegon.

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along. (J. Zach Hollo/THE GROUNDTRUTH PROJECT)

For Aaron Rinehart, one of the workshop’s leaders, the goal is to protect the relationship between journalists and their sources, “to get journalists confident using these tools so sources feel they can give them information safely,” said Rinehart. Without that possibility, he said, the Fourth Estate could be fundamentally crippled.

And it’s not just the NSA journalists and sources need to protect themselves from, warned Rinehart. He used an example of a story exposing pharmaceutical malpractice. “It’s not that sexy of an issue, right? But just think of the potential adversaries.” There’s the government whose regulators screwed up, the drug companies who are poisoning people, and their stakeholders who don’t want to lose profits. With any story, there are likely a host of people who want to hack the journalist and sources to prevent the information from being aired.

The workshop was taught by Rinehart and digital security advisers David Reese and Ferdous Al-Faruque. Rinehart and Reese recently founded TestBed Inc., a technology consulting company. And Al-Faruque is a master’s journalism student at the University of Missouri who said he wants to establish a class there on encryption and cyber security.

Rinehart, who spent time in Djibouti while serving in the Marine Corps, said his motivation for putting on the workshop came from a time when journalism salvaged his college career. “The media saved me,” he said. About a decade ago, Rinehart faced a bureaucratic nightmare at the University of Missouri, when he returned from serving abroad and was not permitted to complete his studies. A local paper led an investigation into the problems veterans were having there, and the university changed policies. Since then, Rinehart said he tries to do all he can to help journalists.

Of the reporters who attended, many are intent on investigative work like the kind that exposed the NSA’s mass, indiscriminate surveillance. “Since I cover national security and defense, I would definitely use this to coax sources to communicate with me or send me documents that they don’t want their government or our government to see or know about,” said Kristina Wong, a reporter for The Hill.

But others also attended, including a cryptologist who said he comes to events like this out of professional interest, and a human rights worker.

“In a lot of countries, activists and human rights defenders especially are really targeted,” said Sarah Kinosian, who monitors American security assistance in Latin America for the Center for International Policy. “So we want to make sure [victims] can pass documentation to us in a safe way.”

The workshop began with Rinehart and Reese playing a segment of Citizen Four, Poitras’s documentary on Snowden and government surveillance that recently won an academy award.

“I would like to confirm out of email that the keys we exchanged were not intercepted and replaced by your surveillance,” a narrator said, reading Snowden’s correspondence with Poitras as a line of ominous tunnel light split darkness on the screen. “Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase.” Rinehart interjected: “That is what we will be teaching you today.”

He then spoke for a while on the importance of responsible password management, recommending a program called KeePass, before moving on to downloading email client software and installing extensions designed to encrypt communications.

The way it works can seem daunting and complex, especially for anyone not tech-savvy. The email extension, called GPG or PGP, generates both a public and private key for each user. When PGP is used to send an email, the sender uses the receiver’s public key to encrypt the contents of the email so only the receiver’s private key can decrypt it.

Also on the other end, the receiver can see that the sender’s identity is confirmed. A public key is just what it sounds like: something meant to be made public along with an email address so the owner can be contacted by anyone. The private key must be kept secret by the owner, and is used to decrypt messages sent using his or her public key.

In essence, it’s is the same concept of an email. Anyone can send a message to someone but only that someone can read it. But encryption makes it nearly impossible for that message to be intercepted. And while subpoenas can force Google or Yahoo to turn over peoples’ emails, PGP makes it impossible for Google and Yahoo to read the messages, so they’d be turning over incoherent nonsense (although it is still possible to see who the sender and receiver are, and the subject line of the email is not encrypted. Ergo, aliases are commonly used once initial contact is made).

Click here to see my public key.

Encryption’s complexity has deterred it from becoming widespread, even in newsrooms. “At The Hill, not many people use it at all,” said Wong, something many would deem troublesome given the publication’s focus on politics and aim to bring transparency to Washington.

But most people agree the complexity is in the technical details behind the process, not in its application. “The world of cryptology and algorithms and coding that goes into encryption tools is difficult for just about anyone to comprehend,” Rinehart said. “But using the tools is quite simple for people who take the time to learn.”

While the majority journalists still do not use encryption, it is becoming common practice for many organizations who do investigative work. The New Yorker, The Intercept, Washington Post, and ProPublica are a few of the early sign-ons for Secure Drop, a new encryption system for journalists designed by the Freedom of the Press Foundation and originally coded by Kevin Poulsen and the late Aaron Swartz. Gawker is another publication that uses it, showing encryption may become more widespread for groups focused on less hard-hitting subjects as well.

[Editor’s note: This piece originally appeared in The Huffington Post.]

Cracking the code: Workshop gives journalists a crash course in encryption

  • TestBed's Aaron Rinehart lectures to seminar attendees prior to the hands-on portion of the day on April 3, 2015. (Jennifer-Leigh Oprihory/MEDILL NSJI)

WASHINGTON — The minds behind TestBed, Inc., a Virginia-based IT consulting firm specializing in IT planning, analytics, testing, prototyping and business advice for the public and private sectors, gave journalists a crash course in digital safety and encryption techniques at an April 3 seminar in Washington.

The daylong event, “Cyber Security Skill Workshop for Journalists: Sending Secure Email,” was co-sponsored by the Medill National Security Journalism Initiative and the Military Reporters & Editors Association, and held in the Medill Washington newsroom.

The seminar began with an introductory lecture on cybersecurity basics and common misconceptions about online privacy and security. Security-related superstitions, such as the idea that browsing in so-called “incognito” or “invisible” modes will keep your digital whereabouts truly hidden, were promptly dispelled.

TestBed’s Aaron Rinehart and David Reese then transformed the event into a hands-on lesson in PGP – an acronym for “Pretty Good Privacy” – as well as understanding other aspects of digital fingerprints (including how to create a public key, how to register it in the Massachusetts Institute of Technology’s PGP directory so that you are more widely contactable by those in the encryption know and how to revoke (or deactivate) a key for security reasons.

The program also included a brief introduction to the Tor network, a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor, originally developed by the U.S. Navy, hides the route taken from a computer’s IP address to its eventual browsing destination.

Learn how Tor works via Medill reporter William Hicks’ helpful primer and infographic here.

When asked for the top three lessons he hoped attendees would take away from the event, Rinehart emphasized the importance of “good key management,” or not sharing your private PGP key with anyone, operating “under good security practices”(such as updating software and antivirus programs) and making email encryption a regular habit.

“Don’t compromise convenience for security,” Rinehart said in a post-workshop interview. “Try to make this something you can use everyday.”

The event drew a mix of reporters, security experts and students, which included military veterans and defense journalists.

Northwestern University in Qatar journalism student James Zachary Hollo attended the event to research encryption resources available for foreign correspondents and to report on the workshop for the Ground Truth Project in Boston, where he is currently completing his Junior Residency.

Hollo said the seminar gave him a better understanding of how to use PGP.

“I had sort of experimented with it before I came here, but this gave me a much better and deeper understanding of it, and I got to sort of refine my ability to use it more,” he said.

Hollo said he was surprised that many attendees came from military service or military reporting backgrounds, since, in his view, “one of the blowbacks against the NSA story [involving whistleblower Edward Snowden] was that it’s like reporting is like betraying your country.”

 

Minimizing your digital trail

WASHINGTON — In popular culture, going “off the grid” is generally portrayed as either unsustainable or isolated: a protagonist angers some omniscient corporate or government agency and has to hole up in a remote cabin in the woods until he can clear his name or an anti-government extremist sets up camp, also in the middle of nowhere, living off the land, utterly cut off from society at large.

But is there a way to live normally while also living less visibly on the grid? What steps can you take to reduce your digital footprint that don’t overly restrict your movements?

What is a digital footprint?

Your digital footprint is the data you leave behind when you use a digital service—browse the web, swipe a rewards card, post on social media. Your digital footprint is usually one of two classifications: active or passive.

Your active digital footprint is any information you willingly give out about yourself, from the posts you put up on Facebook to the location information you give to your local mass transit system when you swipe your transit pass.

By contrast, your passive digital footprint is information that’s being collected about you without your express knowledge or authorization, for example, the “cookies” and “hits” saved when you visit a website. When you see personalized ads on Google, for example, those are tailored to you through collection of your personal preferences as inferred through collection of your passive digital footprint.

To assess my digital footprint, I looked through my wallet, my computer and my phone.

The footprint in your wallet

First, the wallet: I have several rewards cards, each representing a company that has a record of me in its database that shows how often I shop and what I buy, which is linked to my name, address, email and birthday—plus a security question in case I forget my password, usually my mother’s middle name.

While I would consider this information fairly benign—they don’t have my credit card information or my Social Security number—these companies can still make many inferences about me from my purchases. CVS, for example, could probably say fairly accurately if I’m sick based on my purchase of medications, whether I’m sexually active based on birth control purchases and any medical conditions I may have based on my prescription purchases.

If I wanted to minimize my digital footprint, I could terminate all my rewards accounts and refrain from opening any more. For me, though, it’s worth allowing these companies to collect my information in order to receive the deals, coupons and specials afforded me as a rewards member.

Next up is my transit pass, which is linked to my name, local address and debit card. The transit authority has a record of every time I swipe my way onto a city bus or train, a record of my movements linked to my name.

A minimal-footprint alternative to a transit pass is single-use fare cards. If purchased with cash, they would leave no record of my travels linked to my name. While this, like the rewards cards, is feasible, it’s far less convenient than the pass —so much less so that again I’m willing to compromise my privacy.

My debit card and insurance card are the two highest-value sources of personal information, but both are utterly necessary—living half a country away from my local credit union, I need my debit card to complete necessary transactions. My medical insurance card, relatively useless to identity thieves unless they have an ID with my name on it, does represent another large file in a database with my personal information—doctors’ visits, prescriptions and hospital stays for the past several years. People with just the physical card, not my license or information, can’t do much with that, but if a hacker gets to that information it could be very damaging.

No driver’s license? No credit card?

To minimize my digital footprint, then, I could pare down my wallet to just the absolute necessities—my insurance card, debit card and my license. You didn’t talk about your license

Computer footprint

If I’m guilty of leaving a large digital footprint, all my worst infractions probably happen across the Web.

Between Facebook, Twitter and Pinterest, I’ve broadcast my name, picture, email, hometown and general movements, if not my specific location, on each of those sites. Of the three, Facebook certainly has the most comprehensive picture of my life for the past seven years—where I’ve been, with whom, what I like and what I’m thinking.

If I wanted to take myself as far off the grid as feasible, simply deactivating the accounts wouldn’t work—Facebook keeps all your information there for you to pick up where you left off. You can permanently delete it with no option for recovery, but some information isn’t stored just on your account—messages exchanged with friends, for example, or any information shared with third-party apps.

If you keep using social networking sites, privacy policies change frequently, meaning that even if you choose the most restrictive privacy settings, you often have to go back and re-set them whenever the company changes its policy. Apps complicate things even further, farming out much of your information to third-party companies with different privacy policies.

Even if you’re vigilant about your privacy settings and eschew apps, your profile is only as private as your most public Facebook friend, said Paul Rosenzweig, a privacy and homeland security expert.

When shopping online, it’s important to check the privacy statements and security policies of the companies you’re using. If possible, purchase gift cards to the specific retailer or from credit card companies and use those to shop, so you don’t leave your credit card information vulnerable to breaches like that of Target.

I know that email is not my friend when it comes to online privacy, but I can’t operate without it.  I use Gmail on Google Chrome for my email, so I installed Mymail-Crypt. It’s one of several “pretty good protection,” or PGP, encryption programs. Using it, my messages appear to be a jumbled bunch of letters until the recipient decrypts it using their private key, which I can save to a key server, like the aptly named Keyserver, where it’s searchable by my email or key ID. I can then link to it on my personal profiles such as Facebook or LinkedIn. People can then send an encrypted email to me using my public key that cannot be read without my private key to unlock it. I’ve also started encrypting my G-Chats using Off the Record chat.

Email can be used against you. Phishers have started to send more sophisticated emails imitating individuals or companies you trust in order to convince you to give up information like your social security number or credit card data. Drew Mitnick a junior policy counselor at digital rights advocacy group Access Now, said you need to be vigilant no matter what you’re doing on the internet.

“Ensure that whoever you’re dealing with is asking for appropriate information within the scope of the service,” he said. In other words, Gap shouldn’t be asking for your Social Security number.

To limit cookies and other data collection during your Internet use, you can open incognito windows in Google Chrome. In incognito mode, the pages you view don’t stay in your browser or search histories or your cookie store—though your Internet service provider and the sites you visit still have a record of your browsing.

Finally, encrypt your hard drive. Privacy laws vary from state to state and country to country so the best way to ensure that you’re protected no matter where you are is to encrypt your computer and be careful not leave it where someone can mess with it, said Mitnick.

Phone footprint

Another source of vulnerability for many people is a smartphone. As long as you have a phone, you’re on the grid—phone companies can triangulate your position using cell phone towers and location services, and they log your calls. Beyond that, though, there are steps you can take to limit information people can access about you using your phone.

First, be judicious when installing apps. Carefully read the permissions an app requires for installation, and if you’re uncomfortable with them, don’t install it! Read privacy policies and terms of use so you know what data the app keeps on you.

Because I have a Windows phone, many of the basic apps (alarms, maps, Internet Explorer, music, and Microsoft Office) are Microsoft apps and use their terms of use and privacy policy, which is pretty good about not sharing my information with third parties. They also delete your account data after you delete their app, though it may take a few weeks.

I have several social apps, such as the aforementioned Facebook and Pinterest, for which the privacy settings are fairly similar to their desktop counterparts—not very private—with the added bonus of them now having access to my location and phone number. It’s entirely possible—and advisable, if you’re trying to leave a minimal footprint—to live without these apps, but I choose not to.

I’m selective about the apps I install on my phone. Aside from the apps that come with the phone and my social media apps, I only have Uber—and that has a lot of access to my phone. According to the app information, Uber can access my contacts, phone identity, location, maps, microphone, data services, phone dialer, speech and web browser. That’s a lot, and not all of it seems necessary—why does Uber need my contacts? Again, though, I chose to compromise my privacy on this one because the convenience, for me, outweighed the risk.

A precaution I’ve always taken is turning off my location service unless I need it. While my cell phone company can still track me, this prevents my apps from accessing my location. I don’t need Pinterest or Facebook to know where I am to get what I want out of the app, so I don’t provide that information to them.

One of the projects Access Now has been working on is “super cookies”—when you use your cell phone, the cell companies can attach unique identifiers to your browsing as you go across multiple sites. Many companies don’t even offer opt-outs. AT&T has now stopped using super cookies, but other companies still do so.

If you don’t already, use two-step verification whenever possible to ensure that no one but you is logging onto your accounts. This process, used by Gmail, has you enter your password and a one-time numerical code texted to a phone number you provide.

Set a passcode to your phone if you haven’t already, and make it something people couldn’t easily guess—don’t use your birthday, for example. I’ve started using random numbers and passwords generated for long-defunct accounts like my middle school computer login that I memorized years ago but that can’t be linked back to me.

Amie Stepanovich of Access Now suggested using four unrelated words strung together for online account passwords—they’re even harder to hack than the usual suggestions of capital and lowercase letters, symbols and numbers.

One final precaution you can take is to encrypt your device. Apple has already started encrypting its phones by default, and Google has promised to do so. Regardless, you can turn on encryption yourself. I have a Windows phone, which does not allow for easy encryption—in fact, I can’t encrypt my SD card at all. To encrypt my phone, I need to log in to Office 365 on my laptop and change my mobile device mailbox policies to require a password, encryption, and an automatic wipe after a number of passcode fails I choose. I then log into Office 365 on my phone to sync the new settings. It’s much more straightforward for an Android—just go to settings, security, and choose “Encrypt phone.”

Off the grid? Not even close

For me – and most people, it’s not feasible to live entirely off the grid. Between my debit card, various online accounts and smartphone, I pour my personal data into company and government databases every day. The trick is to live on the grid intelligently, only providing the information that is necessary and taking steps to protect your devices from unauthorized access.